# random
r
I posted this in a dedicated AWS workspace to no avail, so I'm posting here too in case anyone has any ideas. I want to be able to provision users with a standard set of policies across multiple accounts created using Control Tower Account Factory, i.e. there'd be a user in each AWS account that had the same centralised set of policies applied. It seems like I need to use a Permission Set in SSO that can then be applied to a user when it's created. However, the only options that gives me are to select up to 10 AWS Managed Policies or to create a single custom policy. The policies we want to apply are quite detailed, as they're to enable a user to deploy a variety of AWS resources for a serverless deployment. It appears that if we go this route we'd need to paste the content of all of our policies into a single Permission Set policy. I haven't tried yet, as this seems a bit weird to me, but I'd be surprised if the size of it was allowed. Am I thinking about this wrong or missing something? Any guidance greatly appreciated.
f
Hey @Ross Coundon, I'm not too familiar with Control Tower. If I understand your use case, you currently have a couple of self-managed policies with permissions to different AWS resources for your serverless deployment, and you want to set up CT in a way that auto-provisions an IAM user in each of the AWS accounts with these policies.
Is the problem that you are not able to share your existing policies across accounts via CT? Or is it that you can only select AWS managed policies, not self-managed ones?
Let me know and I can ask our contact at AWS and loop you into the conversation if I get a response.
r
Thanks Frank, that's really kind. That's exactly it. Control Tower allows you to define permission sets, which are effectively IAM policies, but they're limited in size, and when you log in using SSO you're only able to select one. My user will be logging in programmatically rather than through the console, so maybe there's something more appropriate to use than Control Tower to create it, but we want to make account setup very quick and easy, which the Account Factory feature originally seemed perfect for.
Hi @Frank - I've been informed that while this is a heavily requested feature (multiple custom policies in a permission set), it's not currently supported. So I'm probably going to create the policies and user programmatically.
f
Oh I see. Thanks for the update!